Axios maintainer pwnage is fucking peak incompetence.
-
Axios maintainer pwnage is fucking peak incompetence. Critical shit is on the hands of fucking idiots. How the fuck are these guys not having separate computers for different tasks? Seriously... Or a fucking VM for the crap... Tech is available, tech is cheap. Everyone is a fucking moron... Damn...
-
@osxreverser That's not even remotely near peak. Yes, they could have done better but … nobody is buying them a separate computer to use for stuff like this and if it's a side project they're not looking for more friction.
We have this conflict all over the open source world. We could really use a well-trusted organization (CNCF, Apache, Linux, etc.) making a major effort to help maintainers adopt trusted publisher build workflows, for example, but that wouldn't be cheap or fast.
-
@acdha Virtual machines are dirt cheap. There is no excuse. People are just incompetent and the whole thing is ridiculous the more you read into it. It can't just be fame and GitHub stars, the increased responsibility demands increased friction, security and better processes. Otherwise it's just stupid risk everyone is taking, assuming the other side is able to behave reasonably securely.
-
@osxreverser @acdha People are *very* lazy. Any kind of friction at all is only ever accepted after unjustifiably expensive damage was done. When it comes to extra steps for themselves, even people with a PhD in infosec forget how to calculate risk.
-
@osxreverser I'm aware VMs are cheap, but they're not magic. Stuff like the Trivy attack would've gotten any credentials shared inside the VM so you still need to work on the harder problem of friction. The Axios attack either would have popped the host or, if he tried to use Teams inside the VM, would have gotten all of the exposed credentials there which likely would have included their GitHub / NPM cookies if they thought they were working with a collaborator.
-
@osxreverser I'm not saying there's nothing they could have done better but that there are multiple hard problems here, none of them have easy solutions, and going around attacking OSS maintainers for not doing their unpaid labor the way you'd like is going to turn away more people than it helps.
What does work is better tools: e.g. what would it take to get to the point where most OSS maintainers have to tap a Yubikey each time they publish a release? (better, where you need n>1?)
-
@acdha You get a VM per task. A VM to use zoom/teams/slack for unknown stuff should be mandatory. Segregation is not a new concept. Yes, it increases friction but that's exactly the way it protects against this kind of crap. People can't keep sharing important resources, they need at least some segregation. VMs aren't invincible but they would solve most of these problems and introduce extra attacker friction.
-
@acdha Unpaid labor is a bullshit argument, sorry. It has nothing to do with following reasonable procedures to protect themselves and their users. Pushing code and risking everyone's security just for the sake of pushing code makes zero sense, paid or unpaid. What's the problem with tapping a Yubikey? Yes, it's annoying (I know it!) but it's the proper way to have speed bumps that solve enough problems. The world is different, people need to act differently. Trust is way too cheap these days.
-
@osxreverser look, I get it, there are ways to prevent this. I'm just saying that if you dismiss the real reasons why people don't upgrade as “bullshit arguments”, you're not going to accomplish very much. If that worked, we'd have known decades ago because people have been trying shaming as a motivational technique since the beginning of open source and it's had very little success.
-
@acdha @osxreverser In my opinion, we should stop expecting developers to know everything about infra. It just doesn't work for the vast majority of developers. They like and want to write code, they should focus on that. The release pipelines and all other bs should be managed by other (paranoid) specialists.
-